Ask The Expert: Linux Security Questions Answered


Thomas Rude
Security Consultant

Are you secure? How do you know? Maybe you've already been hacked. Thomas is just the guy to tell you. From penetration testing to hardening to steganography and forensics, Thomas is Red Hat's foremost security consultant in the field. Just don't ask him what kind of tree he would be; you don't want to know. We did ask him a few things we think you *will* want to know about security.


Q:  Hello Thomas. Give it to us straight. How secure is Linux compared to other operating systems?
 
A:  I don't think this is a clear cut and dry answer. On the surface perhaps someone would look at the number of patches and/or the number of exploits in determining (in)security of an OS. But, I can't say personally I look at the number of exploits as a determining factor. I think it is very important to make a distinction here. And that distinction is between what makes up the Linux OS and what makes up the Linux environment. I look at all of the applications available to Linux as the Linux environment. If you look at exploits for Linux, how many are for the actual operating system itself, versus applications that run on Linux? What makes Linux more secure in my mind is the power given to the user to set the security level for that system. As a user, you can not only turn on or off services, but in many instances, specifically pass options to those services to further tighten the system. Granular control of the system. I like that.
 
Q:  How secure is Linux by default, out of the box?
 
A:  A default installation of Linux today (meaning RH 7.3) is no more or less secure than another OS.
 
Q:  How about after you tweak it?
 
A:  Much more secure. But this depends upon a few variables, and unfortunately these variables don't help the cause for a more secure system. You can tweak a Linux system in such a manner that it is quite secure, and barring not keeping up with patches or physical access to the system, that box should be quite secure. The problem is right now you must be a 'tech person' to really secure a Linux system. If nothing else because much of the tweaking takes place at the command prompt, and unfortunately that scares away a number of users. If there were clean GUI tools available to those who feel more comfortable pointing and clicking, that would be very beneficial.
 
Q:  What types of tools should any seriously-minded admin have in their bag of tricks?
 
A:  Man, there are so many! Where do I start? First, you have to figure out what type of user and what type of system you're working with. Different tools for different intentions. A sys admin would have a set of tools, a network admin another set, an end user a third set, etc. Of course there's always overlap. Here's an 'off the top o' my head' list:

nmap, Nessus, whisker, cgichk, hunt, dsniff, snort, tripwire, swatch, portsentry, lde, TASK & Autopsy, TCT, and the list goes on and on!

(editor's note: Here are links to some of those tools:)

nmap -- port scanner -- www.nmap.org/
Nessus -- network scanner -- www.nessus.org/
whisker -- CGI scanner -- www.wiretrip.net/rfp/
snort -- traffic sniffer -- www.snort.org/
portsentry -- scan detector -- www.prionic.com/abacus/
tripwire -- file integrity auditing tool -- www.tripwire.org/

 
Q:  Is it possible to be too paranoid?
 
A:  Absolutely. Where you set the limits is part of your reality, and that includes resources, beliefs, knowledge, and fear.
 
Q:  What elements are essential to a good security policy?
 
A:  The policy must be clear. Ideally the policy should be concise, to the point. The policy must be complete - in that it must cover the technologies in use at the company and be applicable to all users, including remote users. Also, the policy must state repercussions for infractions and non-compliance. Lastly, if there's not support from the ground to the top, forget it. Support must be across the board.
 
Q:  What issues do you see when reviewing security policies?
 
A:  Typically I find that many policies cover company employees, but not consultants or temporary employees. Also, remote access and data transmissions and storage are areas that are typically lacking in security policies. How do you control the company data as it's viewed by an employee working from home? These types of issues are very tough to deal with, but very critical and potentially very damaging and costly.
 
Q:  What are the best security books and web sites out there?
 
A:  Just as in tools, there are so many (books and sites). At some point you have to break INFOSEC down into focus areas, such as network security, wireless security, data forensics and incident response, etc. Once you have that focus area you can narrow your search for content. Hacking Linux Exposed is good. Maximum Linux Security is another. And definitely keep a watch out for the forthcoming Official Red Hat Security Guide - it will kick some serious doo doo on the wild side.

There are too many excellent web sites. Here are a few, and by no means did anyone attempt to bribe me into a plug (not sure why!):

www.crazytrain.com (ok, so a shameless plug!)
www.linuxsecurity.com
rr.sans.org
www.securityfocus.com

I could go on and on. I have a couple hundred I keep up with. You have to pick and choose your battles, though. The above sites are good for general INFOSEC news along with the nod to specific Linux security there as well.

(editor's note: here are a few web sites to start with:)

Red Hat Security Resource Center -- www.redhat.com/solutions/security/
SANS -- www.sans.org/
CERT -- www.cert.org/
Security Portal -- www.securityportal.com
Packet Storm -- packetstormsecurity.org

 
Q:  Do you recommend having certified security experts on staff? Which certs should they have?
 
A:  While I can't say it's a must to have a 'certified' security expert on staff, I will say it is a must to have dedicated security personnel on staff. If you're a small organization, then you have just one. Larger companies, more INFOSEC personnel. The benefit to having in-house experts versus outsourcing can really be taken down to this one level -- your in-house experts have daily, first hand, working knowledge of not just your systems, but your corporate environment as well. These in-house folks eat, breathe, and sleep security. They are a part of your corporate culture. They're a part of the machine, if you will. Can an argument be made that being a part of the system lends an eye to blindness? Perhaps. But proper checks and balances tip the scales in favor of in-house. The main reason I'm not a vocal proponent of certification is because I've seen too many folks who have certs who cannot perform when the situation presents itself. There is a huge difference in my opinion between knowing something and being able to apply that knowledge in a very dynamic environment.
 
Q:  What's the best crack you've ever seen/caught/participated in?
 
A:  Computer wise? Unfortunately some of the best cracks can't be talked about for legal and safety reasons. And there are (were) so many of them. One that I like was a certain PD (police department) in the state of NY whose mobile terminals in the cars were sending wireless clear text data. So when pulling a motorist over and running the plates, all of that was in clear text. Name, license, registration info, record, and bingo was his name-o! Crooks were loving that, as they sat with their own wireless stations sniffing away.

There's also a hospital I know of that uses wireless for patient information (nurses, doctors, and billing staff enter info on mobile wireless laptops). Now serving your name, your social (security number), your prescription, etc. All in clear text. How bad is that?!?!

But, I think Willie Nelson smoking a joint on the roof of the White House takes the honors, hands down.

 
Q:  What's the biggest mistake an admin can make regarding security?
 
A:  Probably being too confident in his/her security. Believing that your systems are safe and secure and resting on your laurels. Also, not having random spot checks on the state of your security. Bad. Very bad. No soup for you.
 
Q:  What do you think of Red Hat Network (RHN) with regard to security?
 
A:  Okay, at first I must say I was skeptical. Only because I'm not a fan of giving away information, signing up for things, etc. Remember the 'too paranoid' question earlier?!!?

However, after much review, I must say that I really like RHN. Solely from a security standpoint, RHN can really make the difference. Let's face it, exploits and holes are found weekly, if not daily. It gets to be a bit tiring keeping up with all of your systems, their patch level, etc. This is not just a 'here's an e-mail letting you know there's a problem', but this is a solution that enables the subscriber to have control over what happens next, i.e. download and apply the update, just download the update, ignore the update, read the advisory, etc. This is good schtick.

 
Q:  What's the deal with those silver pants? (editor's note: Thomas is known around Red Hat as quite the, ummm... snappy dresser...) I know you don't just wear them for Halloween.
 
A:  Dude, you're talkin 'bout my atmospheric re-entry pants! Okay, so who wears silver pants and crushed velvet shirts unless you're an astronaut, it's Halloween, or you're Johnny Cash, right? What can I say? Life is great. Follow a path or blaze your own. Every day is a parade for me. Besides, them there silver pants keep me warm. Not as warm as my leathers (pants), but close. Can I say the women like 'em?
 
Q:  You can, and just have. Thomas, thanks for spending a few minutes with us.